Microsoft Tunnel for Mobile Application Management

Note

This capability is available when you add Microsoft Intune Plan 2 or Microsoft Intune Suite as an add-on license. For more information, see Use Intune Suite add-on capabilities.

When you use the Microsoft Tunnel VPN Gateway, you can extend Tunnel support by adding Tunnel for Mobile Application Management (MAM). Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren't enrolled with Microsoft Intune. With this solution, your users can use a single device that isn't enrolled with Intune to gain secure access to the organizations on-premises apps and resources using modern authentication, single sign-on, and Conditional Access. With Tunnel for MAM, your users can use their own device (BYOD) for both work and personal use, without having to grant the organization's IT department control over that device.

Applies to:

  • Android
  • iOS/iPadOS

Platform requirements and feature overview

Before you begin, you must already have deployed the Microsoft Tunnel gateway. To learn more about Microsoft Tunnel gateway and how to install and configure it, see:

Microsoft Tunnel for MAM supports the following platforms:

  • Android Enterprise version 10.0 or higher
  • iOS version 14.0 or higher

The following table identifies key features for the supported platforms:

Requirements and Features Tunnel for Android Tunnel for iOS
Requirements: - Company Portal app (sign-in not required)

- Defender for Endpoint app
- No Company Portal app or Defender for Endpoint app requirement
Features: - VPN is provided via the Defender for Endpoint app:
--- Per App VPN
--- Device-wide VPN

- Auto-launch: VPN automatically starts on app launch
- VPN is provided via Tunnel for MAM SDK for iOS integration

- Per-App VPN. Tunnel connection is restricted to each targeted app

- Auto-launch: VPN automatically starts on app launch

- No Device-wide VPN

- Trusted root certificate support for on-premises CA trust

Line of Business app requirements - Intune App SDK for Android

- Microsoft Authentication Library (MSAL) integration
- Intune App SDK for iOS

- Microsoft Authentication Library (MSAL) integration
--- Microsoft Entra App registration

- Tunnel for MAM SDK for iOS
Microsoft Edge browser support: - Strict Tunnel Mode: When users sign into Microsoft Microsoft Edge with an organization account, if the VPN isn't connected, then Strict Tunnel Mode blocks internet traffic. When the VPN reconnects, internet browsing is available again.

- Identity switch: VPN connects when using a work or school account and disconnects when switching to a personal account or in-Private browsing.

- Device-wide and Per-App VPN support
- Strict Tunnel Mode: When users sign into Microsoft Edge with an organization account, if the VPN isn't connected, then Strict Tunnel Mode blocks internet traffic. When the VPN reconnects, internet browsing is available again.

- Identity switch: VPN connects when using a work/school account and disconnects when switching to a personal account or in-Private browsing.
Third-party browser support: - Only with device-wide VPN enabled - None

Try the interactive demos

Try the following interactive demos to discover how Tunnel for MAM extends Microsoft Tunnel VPN Gateway to support Android and iOS devices that aren't enrolled with Intune.